mirror of
https://github.com/zulip/zulip.git
synced 2025-10-23 04:52:12 +00:00
puppet: Add ksplice uptrack for kernel hotpatches.
This commit is contained in:
Alex Vandiver
committed by
Tim Abbott
Tim Abbott
parent
fafe1a31d7
commit
32149c6a1c
27
puppet/zulip_ops/manifests/ksplice_uptrack.pp
Normal file
27
puppet/zulip_ops/manifests/ksplice_uptrack.pp
Normal file
@@ -0,0 +1,27 @@
|
||||
class zulip_ops::ksplice_uptrack {
|
||||
file { '/etc/uptrack':
|
||||
ensure => 'directory',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
$ksplice_access_key = zulipsecret('secrets','ksplice_access_key','')
|
||||
file { '/etc/uptrack/uptrack.conf':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => template('zulip_ops/uptrack/uptrack.conf.erb'),
|
||||
}
|
||||
$setup_apt_repo_file = "${::zulip_scripts_path}/lib/setup-apt-repo-ksplice"
|
||||
exec{ 'setup-apt-repo-ksplice':
|
||||
command => $setup_apt_repo_file,
|
||||
unless => "${setup_apt_repo_file} --verify",
|
||||
}
|
||||
Package { 'uptrack':
|
||||
require => [
|
||||
Exec['setup-apt-repo-ksplice'],
|
||||
File['/etc/uptrack/uptrack.conf'],
|
||||
],
|
||||
}
|
||||
}
|
||||
@@ -1,6 +1,7 @@
|
||||
class zulip_ops::profile::base {
|
||||
include zulip::profile::base
|
||||
include zulip_ops::munin_node
|
||||
include zulip_ops::ksplice_uptrack
|
||||
|
||||
$org_base_packages = [# Management for our systems
|
||||
'openssh-server',
|
||||
|
||||
66
puppet/zulip_ops/templates/uptrack/uptrack.conf.erb
Normal file
66
puppet/zulip_ops/templates/uptrack/uptrack.conf.erb
Normal file
@@ -0,0 +1,66 @@
|
||||
[Auth]
|
||||
accesskey = <%= @ksplice_access_key %>
|
||||
|
||||
[Network]
|
||||
# Proxy to use when accessing the Uptrack server, of the form
|
||||
# [protocol://][username:password@]<host>[:port], where
|
||||
# * protocol is the protocol to connect to the proxy (http or https)
|
||||
# * the username and password are the authentication
|
||||
# information needed to use your proxy (if any).
|
||||
# * host and port are the hostname/ip address and port number used to
|
||||
# connect to the proxy
|
||||
#
|
||||
# The proxy must support making HTTPS connections. If this is unset,
|
||||
# Uptrack will look for the https_proxy, HTTPS_PROXY, and http_proxy
|
||||
# environment variables in that order, and then finally look for a
|
||||
# proxy setting in the system-wide GConf database, if available and
|
||||
# enabled below.
|
||||
#
|
||||
# You can also set this to "None" to force Uptrack not to use a proxy,
|
||||
# even if one is set in the environment.
|
||||
https_proxy =
|
||||
|
||||
# Look for proxy setting in the system-wide GConf database, if it's
|
||||
# not set in the above variable or in an environment variable.
|
||||
#
|
||||
# This is broken in later versions of Ubuntu (and other distros too)
|
||||
# so we disable this by default. See LP: #812940.
|
||||
gconf_proxy_lookup = no
|
||||
|
||||
### Uptrack Local Server options ###
|
||||
|
||||
# The path to the CA certificate file used to verify the Uptrack
|
||||
# server.
|
||||
#ssl_ca_cert_file =
|
||||
|
||||
# The directory for CA certificate files used to verify the Uptrack
|
||||
# server.
|
||||
#ssl_ca_cert_dir =
|
||||
|
||||
# The location of the Uptrack updates repository.
|
||||
#update_repo_url=
|
||||
|
||||
### End of Uptrack Local Server options ###
|
||||
|
||||
[Settings]
|
||||
# Automatically install updates at boot time. If this is set, on
|
||||
# reboot into the same kernel, Uptrack will re-install the same set of
|
||||
# updates that were present before the reboot.
|
||||
install_on_reboot = yes
|
||||
|
||||
# Automatically install all available updates at boot time, even if
|
||||
# rebooted into a different kernel.
|
||||
#upgrade_on_reboot = yes
|
||||
|
||||
# Uptrack runs in a cron job every few hours to check for and download
|
||||
# new updates. You can can configure this cron job to automatically
|
||||
# install new updates as they become available.
|
||||
#
|
||||
# Enable this option to make the cron job automatically install new
|
||||
# updates.
|
||||
#
|
||||
# Please note that enabling autoinstall does not mean the Uptrack
|
||||
# client itself is automatically upgraded. You will be notified via
|
||||
# e-mail when a new Uptrack client is available, and it can be
|
||||
# upgraded through your package manager.
|
||||
autoinstall = yes
|
||||
80
scripts/lib/setup-apt-repo-ksplice
Executable file
80
scripts/lib/setup-apt-repo-ksplice
Executable file
@@ -0,0 +1,80 @@
|
||||
#!/usr/bin/env bash
|
||||
set -x
|
||||
set -e
|
||||
set -u
|
||||
set -o pipefail
|
||||
|
||||
verify=false
|
||||
args="$(getopt -o '' --long verify -- "$@")"
|
||||
eval "set -- $args"
|
||||
while true; do
|
||||
case "$1" in
|
||||
--verify)
|
||||
verify=true
|
||||
shift
|
||||
;;
|
||||
--)
|
||||
shift
|
||||
break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
# Ensure the directory for LAST_DEPENDENCIES_HASH exists
|
||||
mkdir -p /var/lib/zulip
|
||||
|
||||
SOURCES_FILE=/etc/apt/sources.list.d/ksplice.list
|
||||
STAMP_FILE=/etc/apt/sources.list.d/ksplice.list.apt-update-in-progress
|
||||
|
||||
ZULIP_SCRIPTS="$(dirname "$(dirname "$0")")"
|
||||
DEPENDENCIES_HASH=$(sha1sum "$ZULIP_SCRIPTS/setup/"*.asc "$0")
|
||||
DEPENDENCIES_HASH_FILE="/var/lib/zulip/setup-repositories-state-ksplice"
|
||||
# Ensure that DEPENDENCIES_HASH_FILE exists before hashing it.
|
||||
touch "$DEPENDENCIES_HASH_FILE"
|
||||
LAST_DEPENDENCIES_HASH="$(cat "$DEPENDENCIES_HASH_FILE")"
|
||||
|
||||
# First, we only do anything in setup-apt-repo if any of its inputs
|
||||
# (apt keys, code, etc.) changed.
|
||||
if [ "$DEPENDENCIES_HASH" = "$LAST_DEPENDENCIES_HASH" ]; then
|
||||
exit 0
|
||||
elif [ "$verify" == true ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Ensure that the sources file exists
|
||||
touch "$SOURCES_FILE"
|
||||
|
||||
# Hash it to check if the sources file is changed by the script later.
|
||||
zulip_source_hash=$(sha1sum "$SOURCES_FILE")
|
||||
|
||||
pre_setup_deps=(lsb-release apt-transport-https ca-certificates gnupg wget)
|
||||
if ! apt-get -dy install "${pre_setup_deps[@]}"; then
|
||||
apt-get update
|
||||
fi
|
||||
apt-get -y install "${pre_setup_deps[@]}"
|
||||
|
||||
SCRIPTS_PATH="$(cd "$(dirname "$(dirname "$0")")" && pwd)"
|
||||
|
||||
release=$(lsb_release -sc)
|
||||
if [[ "$release" =~ ^(buster|bionic|cosmic|disco|eoan|focal|groovy)$ ]]; then
|
||||
apt-key add "$SCRIPTS_PATH"/setup/ksplice.asc
|
||||
cat >$SOURCES_FILE <<EOF
|
||||
deb http://www.ksplice.com/apt $release ksplice
|
||||
deb-src http://www.ksplice.com/apt $release ksplice
|
||||
EOF
|
||||
else
|
||||
echo "Unsupported release $release."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$zulip_source_hash" = "$(sha1sum "$SOURCES_FILE")" ] && ! [ -e "$STAMP_FILE" ]; then
|
||||
echo "zulip.list file did not change; skipping apt-get update"
|
||||
else
|
||||
# We create this stamp file to ensure `apt-get update` will be run
|
||||
# the next time this script is invoked, and each time after, until
|
||||
# `apt-get update` finishes successfully.
|
||||
touch "$STAMP_FILE"
|
||||
apt-get update && rm -f "$STAMP_FILE"
|
||||
fi
|
||||
|
||||
echo "$DEPENDENCIES_HASH" >"$DEPENDENCIES_HASH_FILE"
|
||||
65
scripts/setup/ksplice.asc
Normal file
65
scripts/setup/ksplice.asc
Normal file
@@ -0,0 +1,65 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQENBEoTaW8BCADXQtpKT5gzOC+/Me50Z07GHfZqkjAThrY+XGhKenklDrZA8nXe
|
||||
FDcmlmMvfeSViP5UH+X7tzjUFT2FcUh65+Onggi/J9nFIDweQXxpzDYyWCK+B0RX
|
||||
InKsq3TfEs5G0yIfYuKi/pgLYkFBls0stWC+1BS+3Lx4uDRTb/44D4LgzHKoAfy1
|
||||
Soho8nDDL1pWEpQAq/5yVSgRc1Vvs1s+CmR8zE5gVi3cfGS0kigdfZJVEdAY/w99
|
||||
t3abgYo1Eq3+Vc1bb+5DiEQZlZsWxWglQlvSyx60U2oxr05Ki+3ZyBomfFCTfL2m
|
||||
fzzJ8cyglzNhFKhyFQIHqzoPR+Sxl8ppcnEJABEBAAG0NktzcGxpY2UgQVBUIFJl
|
||||
cG9zaXRvcnkgU2lnbmluZyBLZXkgPGRldmVsQGtzcGxpY2UuY29tPokBNgQTAQgA
|
||||
IAUCShNpbwIbAwULCQgHAwQVCgkIBRYCAwEAAh4BAheAAAoJEPfKYmW21AOO/pUH
|
||||
/jKDtB3iRU2B4jii71CSFyFaz3BvJvgRMmIf53L85h3sUvqeVJiy8MoreWeoxst9
|
||||
uJBnp8W61QwolCbU6awqdZ2ywRi7JyYNopaEKptxJ3EgBYm+Dq0S7srQK0qCMdRX
|
||||
k7OrhCoJEmev7SazhpdIkMWPtRyksgktBMlwQ5/PyLyW+mP3a8ujYDjMIqzScyDV
|
||||
YBTKK8HtXaLb6Y2Fu4jinAm4YLP3XfnAyNE1Xi9fkzTBWgC4AZ4wctQWxViu6Q91
|
||||
HBB1xBjQYD6aCrPLB8/EtYO6n9UoIov6We8qwDDq7oufEKt8/uLXsomEbaWgOqAv
|
||||
wZzpU6ZHueA8JEmNQYzf6pWZAg0EXKv2DQEQANWkHff3Mp7btrQsBCfiNYNh9fi2
|
||||
0KBhtfWyDI4pyU7ZkzF0sgXZPPUquYuKbRqbqW1NghWk/SFUewfWLLsxpWDUr+9p
|
||||
ghLx2MvdKuaNfvQ/dAoiu7kevyIY4q9fiMwdtRmaCFnJVF2+XZA1z2iH6X6LcLPI
|
||||
KEWU1Xd0aWaxoFFPqjkRy+dlDxxV2xsWdEBikIM7rnA4K6NY1V7YXl4DrHLiZB9U
|
||||
4K4XuNjWxvjNFqdNUTSFnLKKDo55NmO62OvtX6QOtPkrc91efaQ+xVZwR0kk61r6
|
||||
Gon3CcDVqJMk02m9E/p8m2+LDymgmokgPtVQ9N8anfyTqw997gGaoR9FJRs1Pkko
|
||||
IW+Wnhjf2kfOYp9f7yON5nZeAHH9ngaxbqr+0A6SxnyccH9cg9mSvpX61ddk/gPm
|
||||
l40hYvGHNrnzkUOIaLx3Vngogyl6omFS7bi+t72uZifbA4U/oZhl+LUo4wiYCNAL
|
||||
XcGS2kCVKoM3MJB6mg1++gaI7y/Sw7yYfLXp+mn6GTtPiG95JyhhggFpMxx1MSW8
|
||||
+MDmaBdNoEX+q20XUuUV/nU+82QpBWgJHtX36m5kaxZ6r0q/4ZpRgLe4qj3owoI7
|
||||
gbfi5K725ijh5nfKvsayVIzqsHQWLjJ8NP1H2ZLxgem4IqGBDkhQGXrHvaHWzTb6
|
||||
ZqF54fQJkxtX/uETABEBAAG0RE9yYWNsZSBPU1MgZ3JvdXAgKE9wZW4gU291cmNl
|
||||
IFNvZnR3YXJlIGdyb3VwKSA8YnVpbGRAb3NzLm9yYWNsZS5jb20+iQI+BBMBAgAo
|
||||
BQJcq/YNAhsDBQklmAYABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCCVi6p
|
||||
rZhto3nfD/4vHhyoqJ+yURoGlbPjKodwC27PbmwJbjBsfhXnoR8pkCH5ZD8nA8XJ
|
||||
tLLCpvOAhSsiXODwIy5ScozkESVSQo8Ngj4KO9S0/QH14VOGqOntY2XLQhBfyoLq
|
||||
n+BMsNe4RsouP4R8u8qKGpwva0khpBaJABp+0bkMUchqdmlWvzx5cnAAwKV7+bb3
|
||||
HsriDRz3n29l0UXuKCAhweVMncZYZsvNFeLR9dVNAkCW1HkbH4WdGdKYCmUvqPVQ
|
||||
bVyB6xmt8lls2yXT7kSrigdQ3exOBqpNhoxZHuMfocUX7l3Tmd2mW0tdsbohrVzV
|
||||
nh76FrZ6EGdx4HFIK3lVPnO2a8kKbhBPj5LwAqx1AunHddZNazkHjUNjLfJAdpDP
|
||||
5KjjZgS28YJ6Y+wJ+SJ3xk0SW2X0ozSIdglsV6G/ZyRl7hFU0QNWC6uWcQQogK+F
|
||||
/BLhvPYhBk9JhAsYuZRjCmmR/ZWOQOFNBQynWKoteyiUKMN9NxmuVRoARc/sDXC4
|
||||
sGUAQcT/Jk5lupyATgBkqRWclia7aWtKQ2GKww5WxWEPILIUTDX58P5Ge9H240c6
|
||||
qB5NX/qQ7Ia76cLx2fArKrTAsnO77wQ116Zy+V32nDHcU9ZMZDgYY0ncxV3B/Cdi
|
||||
SDm8oYNI6Y8O4SefGRo8mtMkgdIld+NKD8zQ+IsZdw4ykZU15ulJArkCDQRcq/YN
|
||||
ARAAodmaW82j7/5qZiH06CeXNJRy2osQ2R7ybtDsddRqQRmBN9FTRqf71OZ+hQLI
|
||||
dLXWrcDSX4WgH8UFPjkHLFR1/znShB3Q8Cmqjk3E2lAKpiA4I6lMdPRKdGH2BAIM
|
||||
aDN9hJmXwwT6LMRTlY6NDnWD/ZqM4NcYhYc/BgTyVnIXu0TtsU0TC97uwitB58BH
|
||||
R4BLPw8wV1DlRL+9hlD6N4tTZ1mp+XYHsCc/sy5elrfUySEHeVph0f69ZpAs9uT9
|
||||
uHty8q2QNsMdjXc1LadOlbJ+N5QIWkMe6nMw2RyVzQh/jhYoDVrSw7t3qYFbJUzQ
|
||||
iCsLGJ5cn8RlUWSFcS6Vwa74vSIeGRH00Dp1Fe8L/AmewIBKPPEWrLOWFN81HVDB
|
||||
Z1kmkLwiX2gfdVytPhO0S8kPG5dMyp4xI581Kx2pqIT27q2BsLXeoFO9uygGD1Gz
|
||||
aFjadGpSE2G8yhFu3VTWpfCGf/2DV/7WLca8QPqPYC5YydT3N6FHfaK4ZCXjySjj
|
||||
bxtEQ/PTwBj76/f+fhT9xuygnMC8KDX5ZhB7bq/SYgki7M6Z4VGZdxpMdRm/Jjpq
|
||||
pK9B46ejSHVyNFkA31PpnyqVhvCHzKEY2V/JtA+aV3+h6IM1WvjexKXpbTZM4sVn
|
||||
fqHZ4am3YspRXP7MVDCsB0W7pSj/WWAZEZvMF7M2BQKRAIsAEQEAAYkCJQQYAQIA
|
||||
DwUCXKv2DQIbDAUJJZgGAAAKCRCCVi6prZhto7gSD/9ZESN0eiy9Ms9uMPCa0fRH
|
||||
dPCKz96oc9Krnsj2MNI69ENaS/j8KJ0G7X4WxMOkiefjCIAgT14xv8vz0JzZjkvL
|
||||
MeXM5EkwSDMSpyMh7CpFwTK8xvJOfHgZziEqIyFFwwtZC5anr8lPT34Heg/NAtce
|
||||
+4C4q7RmMUmXXqht2gvu0BMA4+2qbGTC3bYbWUGQZRUI6IS7CDX70CCIyEMe3oaD
|
||||
zAeMqhCIe/il4YMrFyV19MVMAfTe/H7abBPrVr9GMTViofOaWqZNrz1IM0NK2sbZ
|
||||
WKRIHRh0O6pLMHoUxxRGS0nDDKE4oSMnhzbTBkbnFB+Il85yKPZBg9bm9i1A0Kcp
|
||||
+ymwXsEI/8Zd1gBODJqMLGnimQ2wBmVHIdTHXM8xHUTX6x76XmzXzLRX5v7VgESY
|
||||
CZwQwv1F6/5FvJ35heYn4/2sNOGS89fFX7gdmCXSZe9N3UJRSc2d3jRlLMWjyFOa
|
||||
v/6PZPuJHfBzGejK/93ww5Sq5iwoMt0Gv2eD4K9t//yU0knp1sJABwRe9GfwUqOr
|
||||
6I/6Ec9dc6H8Wsy8EmtsPdXoXrl7K/Isw3vgJrF3YHau7TXIs0YBFmvyI4fdx23h
|
||||
vILSVIDnXI14+ih7od+AIQCwUS+i+KWvuQVuykMas/j3CHR6+1EM+ap+MwuKJpHE
|
||||
5d586NuHxeqt80YNMJDN0Q==
|
||||
=Y2MU
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
Reference in New Issue
Block a user